package at.gv.egiz.eaaf.core.impl.utils;

import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy;
import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.EAAFIllegalStateException;
import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.joda.time.DurationFieldType;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;

/* loaded from: input_file:at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.class */
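/**
 * Generates and validates external pending-request ids that are protected by an HMAC.
 *
 * <p>An external id has the form
 * {@code Base64Url(timestamp | internalId | Base64(HMAC(timestamp | internalId)))}, where the
 * timestamp uses the pattern {@code yyyy-MM-dd HH:mm:ss SSS}. Validation recomputes the HMAC over
 * the first two parts, compares it with the transmitted one and then enforces the configured
 * maximum lifetime.
 *
 * <p>The HMAC key is derived once at start-up from the configured secret with PBKDF2 and a
 * constant salt, so the strength of every token rests entirely on that secret.
 */
public class SecurePendingRequestIdGenerationStrategy implements IPendingRequestIdGenerationStrategy {

    @Autowired(required = true)
    IConfiguration baseConfig;
    public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET = "core.pendingrequestid.digist.secret";
    public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_ALGORITHM = "core.pendingrequestid.digist.algorithm";
    public static final String CONFIG_PROP_PENDINGREQUESTID_MAX_LIFETIME = "core.pendingrequestid.maxlifetime";
    public static final String DEFAULT_PENDINGREQUESTID_DIGIST_ALGORITHM = "HmacSHA256";
    public static final String DEFAULT_PENDINGREQUESTID_MAX_LIFETIME = "300";
    private static final int ENCODED_TOKEN_PARTS = 3;
    private static final String TOKEN_SEPARATOR = "|";
    // Lifetime of a token in seconds; overwritten from configuration in initialize().
    private int maxPendingRequestIdLifeTime = 300;
    // Upper bound, in bytes, for the Base64-decoded external id.
    private final int maxPendingReqIdSize = 1024;
    private String digistAlgorithm = null;
    private SecretKey key = null;
    // Constant salt: PBKDF2 adds no per-deployment diversity here, so a low-entropy configured
    // secret gets little protection from the key derivation.
    // NOTE(review): confirm that deployment guidance requires a long random secret.
    // The charset is fixed so the derived key does not depend on the platform default.
    private final byte[] salt = "notRequiredInThisScenario".getBytes(StandardCharsets.UTF_8);
    private static final Logger log = LoggerFactory.getLogger(SecurePendingRequestIdGenerationStrategy.class);
    private static final DateTimeFormatter TOKEN_TEXTUAL_DATE_FORMAT = DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss SSS");

    /**
     * Creates a new external pending-request id bound to the current time.
     *
     * @return the Base64Url-encoded token {@code timestamp|internalId|Base64(HMAC)}
     * @throws EAAFException if the HMAC cannot be calculated
     */
    public String generateExternalPendingRequestId() throws EAAFException {
        final String signedPart = buildInternalToken(Random.nextLongRandom(), DateTime.now());
        final String encodedMac = Base64.getEncoder().encodeToString(calculateHMAC(signedPart));
        final String token = signedPart + TOKEN_SEPARATOR + encodedMac;
        return Base64.getUrlEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Extracts the internal pending-request id without verifying the HMAC or the lifetime.
     *
     * <p>The returned value is unauthenticated input; use
     * {@link #validateAndGetPendingRequestId(String)} wherever the id must be trusted.
     *
     * @param str external pending-request id
     * @return the internal id contained in the token
     * @throws PendingReqIdValidationException if the token is empty, too large or malformed
     */
    public String getPendingRequestIdWithOutChecks(String str) throws PendingReqIdValidationException {
        return extractTokens(str)[1];
    }

    /**
     * Verifies the HMAC and the lifetime of an external pending-request id.
     *
     * @param str external pending-request id
     * @return the internal id contained in the token
     * @throws PendingReqIdValidationException if the token is malformed, its HMAC does not match
     *     or its lifetime is exceeded
     */
    public String validateAndGetPendingRequestId(String str) throws PendingReqIdValidationException {
        try {
            final String[] parts = extractTokens(str);
            final String internalId = parts[1];
            final DateTime issuedAt = TOKEN_TEXTUAL_DATE_FORMAT.parseDateTime(parts[0]);
            log.trace("Checking HMAC from externalPendingReqId ... ");
            final byte[] receivedMac = Base64.getDecoder().decode(parts[2]);
            final byte[] expectedMac = calculateHMAC(buildInternalToken(internalId, issuedAt));
            // MessageDigest.isEqual compares in constant time; Arrays.equals returns at the first
            // differing byte, which makes the comparison time depend on the submitted MAC.
            if (!MessageDigest.isEqual(receivedMac, expectedMac)) {
                // The reference digest is deliberately not logged: it is the valid MAC for the
                // submitted timestamp and id.
                log.warn("Digest of Token does NOT match");
                throw new PendingReqIdValidationException((String) null, "Digest of pendingRequestId does NOT match");
            }
            log.debug("PendingRequestId HMAC digest check successful");
            log.trace("Checking valid period ... ");
            final DateTime now = DateTime.now();
            final DateTime expiresAt = issuedAt.withFieldAdded(DurationFieldType.seconds(), this.maxPendingRequestIdLifeTime);
            if (expiresAt.isBefore(now)) {
                log.warn("Token exceeds the valid period");
                log.debug("Token: {} | Now: {}", issuedAt, now);
                throw new PendingReqIdValidationException(internalId, "PendingRequestId exceeds the valid period");
            }
            log.debug("Token valid-period check successful");
            return internalId;
        } catch (IllegalArgumentException | EAAFIllegalStateException e) {
            // Covers an unparsable timestamp, an invalid Base64 MAC and HMAC calculation errors.
            log.warn("Token is NOT a valid String. Msg: {}", e.getMessage());
            log.debug("TokenValue: {}", str);
            throw new PendingReqIdValidationException((String) null, "PendingReqId is NOT a valid String", e);
        }
    }

    /**
     * Decodes an external id and splits it into timestamp, internal id and Base64 HMAC.
     *
     * @param str external pending-request id, may be {@code null}
     * @return exactly {@value #ENCODED_TOKEN_PARTS} non-empty parts
     * @throws PendingReqIdValidationException if the input is empty, not valid Base64Url, larger
     *     than the size limit or does not consist of three non-empty parts
     */
    @NonNull
    private String[] extractTokens(@Nullable String str) throws PendingReqIdValidationException {
        if (StringUtils.isEmpty(str)) {
            log.info("PendingReqId is 'null' or empty");
            throw new PendingReqIdValidationException((String) null, "PendingReqId is 'null' or empty");
        }
        log.trace("RAW external pendingReqId: {}", str);
        final byte[] decoded;
        try {
            decoded = Base64.getUrlDecoder().decode(str);
        } catch (IllegalArgumentException e) {
            // Without this, getPendingRequestIdWithOutChecks() would leak an unchecked exception
            // for input that is not Base64Url.
            log.warn("Token is NOT a valid String. Msg: {}", e.getMessage());
            throw new PendingReqIdValidationException((String) null, "PendingReqId is NOT a valid String", e);
        }
        if (decoded.length > this.maxPendingReqIdSize) {
            log.warn("pendingReqId size exceeds {}", this.maxPendingReqIdSize);
            throw new PendingReqIdValidationException((String) null, "pendingReqId exceeds max.size: " + this.maxPendingReqIdSize);
        }
        // Decode with the charset used when the token was generated, not the platform default.
        final String plainToken = new String(decoded, StandardCharsets.UTF_8);
        if (StringUtils.countMatches(plainToken, TOKEN_SEPARATOR) == ENCODED_TOKEN_PARTS - 1) {
            final String[] parts = StringUtils.split(plainToken, TOKEN_SEPARATOR, ENCODED_TOKEN_PARTS);
            // StringUtils.split drops empty tokens, so input such as "a||b" has two separators
            // but fewer than three parts; reject it here instead of failing later on parts[2].
            if (parts != null && parts.length == ENCODED_TOKEN_PARTS) {
                return parts;
            }
        }
        log.warn("PendingRequestId has an unvalid format");
        log.debug("PendingRequestId: {}", plainToken);
        throw new PendingReqIdValidationException((String) null, "PendingReqId has an unvalid format");
    }

    /**
     * Reads the configuration and derives the HMAC key from the configured secret.
     *
     * @throws EAAFConfigurationException if no secret is configured or the key cannot be derived
     */
    @PostConstruct
    private void initialize() throws EAAFConfigurationException {
        log.debug("Initializing {} ... ", getClass().getName());
        final String secret = this.baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET);
        if (StringUtils.isEmpty(secret)) {
            throw new EAAFConfigurationException("config.08", new Object[]{CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET});
        }
        this.digistAlgorithm = this.baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_ALGORITHM, DEFAULT_PENDINGREQUESTID_DIGIST_ALGORITHM);
        this.maxPendingRequestIdLifeTime = Integer.parseInt(this.baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_MAX_LIFETIME, DEFAULT_PENDINGREQUESTID_MAX_LIFETIME));
        try {
            // PBKDF2-HMAC-SHA256, 10000 iterations, 128-bit key, constant salt (see the salt field).
            final PBEKeySpec keySpec = new PBEKeySpec(secret.toCharArray(), this.salt, 10000, 128);
            this.key = SecretKeyFactory.getInstance("PBKDF2WITHHMACSHA256").generateSecret(keySpec);
            log.info("{} initialized with digistAlg: {} and maxLifeTime: {}", getClass().getName(), this.digistAlgorithm, this.maxPendingRequestIdLifeTime);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            log.error("Can NOT initialize TokenService with configuration object", e);
            throw new EAAFConfigurationException("config.09", new Object[]{CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET, "Can NOT generate HMAC key"}, e);
        }
    }

    /**
     * Builds the part of the token that is covered by the HMAC: {@code timestamp|internalId}.
     *
     * @param str internal pending-request id
     * @param dateTime issue time of the token
     * @return formatted timestamp, separator and id
     */
    private String buildInternalToken(String str, DateTime dateTime) {
        return TOKEN_TEXTUAL_DATE_FORMAT.print(dateTime) + TOKEN_SEPARATOR + str;
    }

    /**
     * Calculates the HMAC of the given string with the configured algorithm and derived key.
     *
     * @param str data to authenticate, encoded as UTF-8
     * @return raw MAC bytes
     * @throws EAAFIllegalStateException if the algorithm is unavailable or the key is rejected
     */
    private byte[] calculateHMAC(String str) throws EAAFIllegalStateException {
        try {
            final Mac mac = Mac.getInstance(this.digistAlgorithm);
            mac.init(this.key);
            return mac.doFinal(str.getBytes(StandardCharsets.UTF_8));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            log.error("Can NOT generate secure pendingRequestId", e);
            throw new EAAFIllegalStateException(new Object[]{"Can NOT caluclate digist for secure pendingRequestId"}, e);
        }
    }
}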
